Selling Cookie Collected Consumer Data In Bankruptcy: A Dot-Com Dilemma
By Ethan Watts
Many consider the Internet to be the most important invention of the 20th century in the realm of telecommunications and computing.1 Although at the most fundamental level the Internet is simply a network of computers, it has grown to become an important part of millions of people’s lives.2 Today this global computer network is a virtually limitless source of information for those who have access to it, and provides its users with conveniences such as email, instant messaging, and online purchasing. This powerful and increasingly omnipresent tool has made life easier for Internet users all over the globe.
The Internet did not begin as the user-friendly global computer network it is today. The Internet had modest beginnings in the 1960s at the Defense Advanced Research Projects Agency (DARPA),3 and at that time was primarily used and understood by government and academic researchers. It was several decades later in the 1990s that the Internet experienced swift acceptance by the general public.4 The rapid acceptance of the Internet into the public mainstream was primarily fueled by the widespread adoption of browsers5 and the World Wide Web.6 Browsers and the World Wide Web allowed Internet users to begin easily accessing information contained in the linked computers around the globe that comprise the Internet.7 Today, for example, anyone with an Internet enabled computer in California could access information about the Coliseum on a Web site housed on a server located in Italy, or send an email to a friend in Japan. This aspect of the Internet which allows a user in one country to communicate, interact, or otherwise affect a user in another country gives the Internet an unavoidable international quality.
As with all great innovations, some bad has come with the good. Programming bugs, computer viruses, malicious hackers, computer fraud, child pornography Web sites, and other abuses of the Internet have grown in prevalence and scale as the Internet itself has become more ubiquitous. One of the most important developments of our time, the Internet, with all of its positive and negative elements, has presented many interesting issues to the international legal community.
One issue that has been particularly impacted by the Internet is consumer privacy. The appearance on the Internet of software such as spyware,8 and the practice of online profiling9 through the use of technologies such as Web bugs10 and cookies11 have made privacy on the Internet a hot topic.
However, consumer privacy is by no means an issue unique to the Internet. Companies have long sought to gather as much information about their potential and current customers as legally permissible. Both traditional brick-and-mortar companies12 and dot-coms collect information about consumers in the course of offering products and services. Many companies routinely obtain information about potential and existing customers through surveys, questionnaires, and other methods to better enable companies to target their advertising, and cater to their customer’s preferences.
This collection of information by brick-and-mortar companies through traditional means has sparked some debate, but evidenced by the number of consumers willing to divulge personal information in order to purchase goods and services, the collection of information by traditional means by brick-and-mortar companies seems to have more or less been accepted by the majority of consumers as a necessary byproduct of business.13
With the ultimate goal of showing why a sale of consumer data in bankruptcy should be permitted with certain qualifications, an examination of the nature of the information collected through Web sites will be necessary. It is the nature of the data that a dot-com has collected via its Web site and pursuant to its privacy policies that is at the crux of the issue, and a legal definition of this data is critical.
In addition to examining bankruptcy law, part II will explore both contract and property law in taking on the task of defining consumer data collected through Web sites, and the privacy policies which have become very common on Web sites today. The current legal framework concerning consumer privacy rights in the United States and Europe will also be discussed. The examination of the current consumer privacy rights legal framework in the United States will include federal and state law, and self regulation. European law and its effect on the current United States legal climate in the area of consumer privacy rights is also essential to the analysis because it has had a significant impact on ecommerce21 in the United States.
Part II will also briefly cover a recent history of consumer privacy law in the European Union (“E.U.”),22 and will then examine the legal environment as it exists today in the E.U. The E.U. Directive on the Protection of Personal Data23 and the European Convention on Human Rights and Fundamental Freedoms24 are included in the analysis. Also included is the United States reaction to European legislation and policy, and the Safe Harbor agreement (“Safe Harbor”)25 which is the result of negotiations between the United States and the E.U. regarding consumer privacy online. An understanding of Safe Harbor and its implications is critical to the overall analysis because of its international impact on consumer privacy online.26
Part III will draw conclusions based on the analysis in Part II and will discuss the benefits and liabilities of allowing the sale of consumer data in bankruptcy. Part III will make both legal and cost/benefit-analysis arguments in favor of allowing the sale of consumer data in bankruptcy to third parties. Finally, recommendations for future action in this area of the law will be made along with suggestions for a new treaty.27
II. EXAMINATION OF THE LAW
A. Bankruptcy Law
There are at least two fundamental questions at the heart of bankruptcy law. One question is how to reconcile the use of bankruptcy law to benefit the insolvent debtor with its use to assist the creditors.28 Should bankruptcy law be structured primarily in favor of the debtor or in favor of the creditor? This debate has existed in the United States at least as far back as the Civil War.29 One of the concepts underlying the arguments made by those favoring debtors is that bankruptcy offers the worthy debtor a “fresh start.”30 This concept views bankruptcy as a tool for the overburdened debtor to make good with creditors and begin again with a clean slate. The perceived strength of the fresh-start concept as an argument in favor of a pro-debtor system has varied over time, along with the tilt of the bankruptcy laws. However, the United States has never had a completely pro-debtor system.31 At the very least, bankruptcy law has traditionally given special status to certain property interests (e.g. mortgages) of creditors so that whether or not the debtor is entitled to a completely fresh start has always depended on the nature of the debt.32
Another fundamental issue in bankruptcy law concerns the efficient distribution of the debtor’s insufficient assets among multiple creditors with valid claims on those assets.33 Bankruptcy law has historically sought to resolve the tendency of creditors to “race to the assets” of the debtor by providing a framework under which the assets get apportioned rationally among creditors.34 This unsurprising tendency of creditors to race to the assets derives from the zero sum character of bankruptcy: one creditor’s gain is normally another’s loss. Bankruptcy law attempts to resolve this win-or-lose situation by placing creditors in certain classes, with some receiving their assets before the others (who simply get what is left over, if anything).35 Bankruptcy thus attempts to distribute insufficient assets to creditors in a clear, fair, and efficient manner.
Bankruptcy law also attempts to avoid wasting assets in a bankruptcy proceeding. On the pro-debtor side of the coin, there are circumstances in which the trustee of the estate36 may completely reject contractual obligations in order to sell assets.37 The effect of this power to reject contractual obligations is intended to enable a trustee in bankruptcy to take advantage of a contract by fulfilling its obligations if that would benefit the estate, or reject the contract if it would pose a burden on the estate.38
In addition to attempting to resolve questions concerning rights of debtors and creditors, the courts and law makers have had to grapple with the macroeconomic effects of bankruptcy law. For example, the manner and efficiency with which assets get distributed to creditors (which depends on the structure of the bankruptcy law) has an effect on the cost of credit.39 This is true because part of a creditor’s risk analysis will be its perception of how probable it is that the creditor will be able to collect debts in general, and in the event of bankruptcy in particular.40 The less efficiently assets are distributed in bankruptcy, the greater the perceived risk associated with bankruptcy, and therefore the more credit will cost in order to compensate for the added risk. This negative macroeconomic effect can be minimized by expediting the collection process for creditors in bankruptcy. At least two goals of bankruptcy law are to encourage the maximization of the value of the estate so as to come as close as possible to satisfying all debts, and to do so as fast as possible. The existence of provisions which enable a debtor to reject contractual obligations reflects this goal of value maximization and waste avoidance.41
ii. Bankruptcy Law Applied to Consumer Data
With all of the competing interests the bankruptcy laws have to address42 it is unsurprising that debtors and creditors have at times been rather creative in finding valuable assets. One example of this creativity is the sale of consumer data collected online. The sale of consumer data has become big business because of the data’s value to companies. This data is valuable because of its many uses, including marketing, and tracking sales trends and market share.43
After the technology bubble of the 1990s burst, insolvent dot-coms quickly discovered that the consumer data they had collected in the course of doing business was a valuable asset. Traditionally, bankruptcy laws have permitted the sale of consumer data.44 In general, consumer data is considered property of the company that collected it, and can be sold as part of the business or separately, as the company sees fit.45 As noted above, such consumer data can be quite useful, and often is the failed dot-com’s most valuable asset.46
B. Contract Law
While at first this offer, acceptance, and consideration conceptualization may seem straightforward, a problem arises upon further examination of the consideration in this typical scenario. The valid formation of a contract, in addition to the basic requirement of the existence of a promise or promises, requires consideration.52 Without consideration, a contract is potentially unenforceable.53
The fact that privacy policies and other online documents such as license agreements (when not conspicuous or required to be read) are in most cases not really part of the parties’ bargaining process argues in favor of not enforcing them as contracts. Some courts have agreed with this logic. In Ticketmaster Corp. v. Tickets.com, Inc.60 the United States District Court for the Central District of California found that a license agreement61 which was posted on Ticketmaster’s Web site and linked to at the bottom of the Ticketmaster Web site home page did not form a contract with Web site visitors because it did not force visitors to assent to the license before accessing Web pages.62 The court noted that “the terms and conditions are set forth so that the customer needs to scroll down the home page to find and read them.”63 The court also noted that Ticketmaster’s license agreement was different from many other company’s license agreements in that the Web site visitor is not forced click on an “agree” button before accessing the Web site and its services.64 The court went on to say in its opinion “It cannot be said that merely putting the terms and conditions in this fashion necessarily creates a contract with any one using the web site.”65
The Ticketmaster outcome makes sense in that, as the court seems to suggest, it cannot be assumed that Web site visitors read the license agreement before accessing the Web site. After all, how can something enter into the bargained for exchange if it was not even known to exist by one of the parties?
The United States Second Circuit Court of Appeals employed nearly identical reasoning in Specht v. Netscape Communications Corp.66 in which it found that when internet users downloaded software from Netscape Communication’s Web site, they did not manifest assent to the terms of a license agreement posted on the Web site. The license agreement was located on a submerged screen, and the court found that a reasonably prudent internet user would not have known or learned of the existence of the license terms before responding to Netscape Communications' invitation to download software.67
C. Contract Law and Bankruptcy Law Revisited
The bankruptcy code does not define the phrase “executory contract,” and jurisdictions are divided on an appropriate test.69 Some jurisdictions determine whether or not a contract is executory by applying the traditional “Countryman” test.70 A contract is considered executory and therefore meets the Countryman test only where the obligations of both parties to the contract “are so far unperformed that the failure of either to complete performance would constitute a material breach excusing the performance of the other.”71
Under section 365 of the Bankruptcy Code, an executory contract may be rejected subject to the court’s approval.74 If the contract were considered executory, then the one hurdle remaining for the debtor would be getting the court’s permission which is required for rejecting the contract under section 365(c).75
D. Property Law
So what exactly is this customer data that dot-coms collect from consumers? In order examine contract and bankruptcy law more meaningfully, it is important to define as best we can the data that is collected. It must be determined whether such information should be considered property and properly part of the bankruptcy estate.78
The other category of information collected is information that is simply gathered as the consumer interacts with the dot-com’s Web site.81 An example of information in this category is information about which Web pages a Web site visitor has viewed or the type of browser a visitor is using to view the Web pages.82
Information in the first category that is requested directly is most often gathered through the use of Web forms or online questionnaires that must be filled out by the prospective customer before purchasing goods or services from the dot-com.83 This form of information gathering probably causes less concern to the average consumer who at least is aware of the data being collected.84 It is the second form of information gathering that is more likely to worry some consumers.85
Although new technologies and the online environment have made this second, surreptitious form of information gathering more common, it is not unique to the Internet. One example of its practice in the brick-and-mortar business world is the use of ‘discount’ or ‘membership’ cards by grocery stores. Many consumers who shop at major grocery stores with these discount or membership cards may not realize that beyond saving a few cents on a bag of chips they are also facilitating the company’s collection of data concerning the consumer’s shopping habits.86 The grocery store then uses this information for marketing purposes, and in come instances will share the information with third parties.87 All that new technologies and the online environment have done is make the compilation of such customer lists much easier, and in many cases more valuable than lists accumulated by brick-and-mortar companies.88
Property, at the most general level, could be defined as an aggregate of valuable rights or interests in a thing which are protected by law.89 More specifically, property refers to ownership; “the unrestricted and exclusive right to a thing…”90 The “exclusive right” to a thing refers to fundamental rights associated with property, such as the right to exclude, transfer, possess, and use.91 These fundamental rights have been recognized by common law not only in owners of existing things, but also in owners who have created new entities.92
Entities, such as customer lists, which are comprised of individual pieces of information and which by themselves may not be very valuable, can become quite valuable when compiled in a meaningful way.93 The creation of customer lists has been viewed by the courts as just such an valuable entity, and consequently in many cases has been given trade secret status.94 There is strong support for this treatment of customer lists as trade secrets in the Uniform Trade Secrets Act.95 Many dot-coms’ customer lists would likely be included in the Uniform Trade Secrets Act’s definition of trade secrets, which includes information that is compiled and that “derives independent economic value… from not being generally known to, and not being readily ascertainable through proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”96
The treatment of customer lists as trade secrets, and the recognition that they are entities of value argues in favor of their status as property. The question becomes whether this entity (customer list) is property of the dot-com which it has a right to sell in bankruptcy. Bankruptcy courts answer this question in the affirmative – finding that such customer lists are valuable assets to be included as part of the estate under section 54197 of the bankruptcy code.98
E. Consumer Privacy Rights
i. Consumer Privacy Rights in the E.U.
The E.U. has taken a substantially more protective approach to consumer privacy online than the U.S. since the explosion of the Internet in the 1990s.99 This is at least partially a result of the fact that European countries tend to view privacy as a “fundamental right.”100
A comprehensive overview of the history of European privacy law is beyond the scope of this comment. However, some background will be helpful and will be achieved by examining the European Convention on Human Rights and Fundamental Freedoms (“ECHR”).101 The ECHR is a fairly lengthy and complicated document and this section is only intended as a general overview of the Convention. The Council of Europe (“Council”), which was founded in 1949 in “order to promote greater cooperation and understanding between European states”, drafted the ECHR.102 The Universal Declaration of Human Rights103 (“UDHR”) served as a guideline for the ECHR, but from the beginning the ECHR, unlike the UDHR, was intended to be a binding legal document.104
The ECHR guarantees, inter alia, the right to privacy. Article 8 states:
(1) Everyone has the right to respect for his private and family life, his home and his correspondence.
(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.105
Thus the Article sets up a two-part test in determining if there has been a violation of this Article. First, has there been an intrusion on the right of privacy? Second, is the governmental interference justified?
If an individual or state alleges a privacy violation, they can apply to the European Commission of Human Rights (“Commission”)106 for relief under the ECHR.107 If the Commission decides that there has been a prima facie violation, then the matter is investigated and the Commission seeks a friendly settlement between the applicant and the state.108 If a settlement cannot be reached, the Commission prepares a report stating an opinion as to whether the ECHR has been breached or not.109 The Commission or the state may refer the case to the European Court of Human Rights within a period of three months after the Commission’s decision.110
The ECHR is perhaps more far reaching than any privacy legislation in the United States, but does not have as direct an effect on American companies doing business with European consumers as other European legislation does. Perhaps the most important European legislation for issues regarding privacy rights online is the Data Protection Directive (“Directive”),111 which was adopted by the E.U.’s Council of Ministers on October 24, 1995.
After the Directive’s adoption, E.U. member states were given three years (until October 24, 1998) to bring their respective laws into compliance with the Directive.112 The Directive was then issued in 1998,113 and has since been incorporated as national law by all the E.U. member states except Ireland and Luxembourg.114
The Directive was issued out of increasing concern over the growing trend of companies collecting consumer information, and in order to set a clear standard of privacy for the member nations.115 The Directive has had a greater impact than some would have predicted in the area of e-commerce because the Internet has allowed personal data to be more easily collected and sold.116
The Directive attempts to protect individual informational privacy by imposing an affirmative obligation on E.U. governments and private industries that collect and “process” consumer data to do so only for specified and legitimate purposes.117 "Processing" is interpreted to include any collecting, recording, altering, and making of data available in any form.118 The individual whose data is to be processed must contractually consent to the processing or collection of his or her personal information, or the processing must be necessary to carry out pre-contractual measures undertaken at the request of the individual.119
Organizations can also process data when it is necessary for compliance with a legal obligation, or where the activity involved is an assignment of public interest, not involving an infringement of fundamental rights and freedoms.120
The Directive also grants individuals the privilege of requesting that erroneous data be corrected, and dictates that individuals must be given notice before any information may be collected or processed in any way.121 The notice must tell the individual why the information is being collected and any intended future uses of the collected data, and "the types of third parties to which [the organization] discloses the information and the choices and means the organization offers for limiting its use and disclosure."122
The Directive can best be described by noting its most fundamental principles, which can be found in Article 6:
1) Personal data has to be “processed fairly and lawfully.”123
2) Personal data can only be “collected for specified, explicit and legitimate purposes.”124
3) The data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”125
4) The data has to be accurate and contemporary. If the data does not comport to this requirement, it must be erased.126
5) The data has to be kept in such a manner as to enable the identification of data subjects.127
The Directive also has an effect on entities beyond companies and consumers in E.U. member states. The Directive contains several provisions that deal with the flow of information and data across international borders.128 Those provisions essentially require that any personal data flowing out of member states must be adequately protected by the receiving country.129 The protections the receiving country must provide need to comply with the provisions of the Directive as if the receiving country were essentially an E.U. member state.130 There are, however, exceptions to this general rule.131
Examples of exceptions are when the subject of the personal data has fully consented to the transfer and use of the data in question, or when the transfer of personal data is necessary for an important public policy reason.132 Member states decide whether the receiving country has laws in place that adequately protect the personal data to be transferred.133 This decision will depend on the nature of the personal data and the method of transfer as well as the receiving country’s legal structure regarding privacy.
ii. Consumer Privacy Rights in the United States
While the E.U. has implemented relatively broad-based data protection legislation primarily in the form of the Data Protection Directive discussed above, the United States has generally been more hands-off in privacy regulation.134 The United States hands-off approach to privacy regulation on the Internet can be traced to an overall laissez faire attitude towards the Internet generally.135 This hands-off approach has relied more on industry self regulation than on broad-based legislation of the kind seen in Europe.136
The United States Constitution does not directly protect individual privacy, but the constitution has been interpreted to protect individual privacy – primarily from federal or state government invasion.137 The U.S. approach has been less in recognition of an explicit and absolute fundamental right to privacy, and more a balancing between the right to privacy and society’s interest in putting to use an individual’s information.138 Generally the U.S. has dealt with consumer privacy issues relating to the Internet through federal and state statutes and regulations, and through case law.139
Congress has passed a number of statutes which strive to protect individual privacy rights in personal information. Statutes that affect the issue of whether or not a dot-com should be allowed to sell consumer data in bankruptcy are addressed below, as are important pieces of legislation in the area of consumer privacy, but an exhaustive survey of all consumer privacy related statutes is unnecessary.
The Fair Credit Reporting Act (“FCRA”) is a fairly comprehensive statute passed by congress in 1970.140 The FCRA essentially dictates when information about consumers may be released without the consumer’s consent.141 The FCRA’s purpose is to ensure that consumer information on credit reports is confidential, relevant, and accurate.142 The FCRA notes that consumer reporting agencies have an important role in assembling and evaluating consumer credit and other information on consumers. The act states in part that “it is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information…”143
The FCRA does therefore address information collected online through Web sites, but it is explicitly targeted at credit-reporting companies. The FCRA says nothing about information collected by other entities (e.g. lists describing consumer preferences or biographical information) or even consumer information purchased by other entities from credit agencies or credit card companies.144
The Federal Privacy Act (“Privacy Act”) was passed by Congress in 1974.145 Like the FCRA, the Privacy Act is targeted at a certain class of data collectors which in the case of the Privacy Act is federal agencies.146 Similar to the FCRA in its treatment of personal information, the Privacy Act dictates that federal agencies may collect personal information to the extent that the data is relevant to accomplishing the agency’s goal.147 In another respect similar to the FCRA, the Privacy Act mandates that information collected must be accurate.148 This is just one of many examples of regulations affecting the federal government’s ability to use and disclose personal information.149
An example of a statute that is broader in its potential application to entities that collect information, yet more restricted in the type of information it applies to is the Video Privacy Protection Act (“VPPA”).150 The VPPA essentially prohibits the disclosure of consumer video rental histories.151
Although this statute prohibits the disclosure of information that could have been collected online, just as other statutes discussed above, it does not seem to directly apply to the fundamental issue of this comment which concerns the initial collection of personal information and then the sale of that information in bankruptcy.152
Perhaps the most pertinent piece of legislation to date (as to the issue presented in this comment) is a statute enacted by Congress to protect personal information collected online pertaining to children. The Children’s Online Privacy Protection Act (“COPPA”) was enacted in 1998 to provide safeguards for the use of information collected from children under the age of thirteen.153
Generally the COPPA regulates operators of Web sites directed to children that collect information from children.154 Some of the requirements of the COPPA include that such Web site operators provide notice on the Web site of “what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information…”155 Furthermore, the COPPA requires parental consent for the collection and use of personal information, a description of the type of information collected, and the opportunity to refuse to permit the Web site operator’s continued use of the information.156
While fairly far-reaching when it comes to children under the age of 13, the COPPA, like other statutes dealing with data collected online, does not really deal with the issue of a dot-com selling data in bankruptcy, at least at a fundamental level (insofar as it does not apply to all persons). After all, the vast majority of consumers online are persons over the age of 13.157 In effect what Congress has done thus far is target legislation at specific industries or issues, but it has left the general issue of online privacy to industry self regulation.158
b. Case Law
1. FTC Cases
The FTC has by far been the most active federal authority in enforcing consumer privacy online. The FTC typically will file suit against a dot-com which is in violation of the Federal Trade Commission Act (“FTCA”).159 A common violation has been when a dot-com has engaged in a “deceptive practice.”160 15 U.S.C. section 45 states in relevant part: “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”161 The FTC will find an act or practice deceptive if it has three elements: 1) there is a representation, omission, or practice that, 2) is likely to mislead consumers acting reasonably under the circumstances, and 3)the representation, omission, or practice is material.162
The GeoCities case was one of many cases in which the FTC sought to police online privacy. These and other cases deal with the periphery of the principal issue of whether an insolvent debtor should be permitted to sell data collected online in bankruptcy. There are cases which have dealt with and defined the sort of customer lists addressed in this comment – but the courts are split on the treatment of customer lists collected online.167 There have been very few cases dealing with the specific issue of dot-coms selling personal information in bankruptcy. One case that did address this specific issue is In re Toysmart.com.168
Toysmart.com was a Web site that sold educational children’s toys over the Internet.169 As part of doing business over the Internet, Toysmart.com collected information about consumers that purchased toys on its Web site.170 The information collected included names, addresses, shopping preferences, and family profiles.171
The information collected pertained to people who visited the Web site or purchased toys from Toysmart.com, and included information collected from children under the age of 13.172 As did many dot-coms in the late 1990s, Toysmart.com ran into financial difficulties, and its creditors filed an involuntary chapter 11 action against it. Toysmart.com then sought to sell its customer data base, which included the information it had collected on its customers.173
The district court did not share the FTC’s position on allowing a qualified buyer purchase the customer database and did not approve of the settlement agreement.184 Subsequently the issue was resolved when Walt Disney Company Incorporated (“Disney”), the parent company of Toysmart.com, decided to purchase the customer list and destroy it.185 It is unclear how the case would otherwise have been resolved if Disney had not decided to end the dispute by destroying the information. Obviously, the value of the information was lost when the information was destroyed. For what, one might ask? What exactly was the bankruptcy judge trying to accomplish by not allowing the two parties to settle the dispute? If it was to protect consumer’s privacy rights, was this really accomplished? Would consumers’ privacy rights have been compromised if their information had been sold to a successor-in-interest which operated in the same industry as the debtor? Perhaps the greatest good for the greatest number of interests involved would have been better served had the bankruptcy judge allowed the settlement agreement as proposed by the FTC and Toysmart.com.
2. Common Law Tort of Invasion of Privacy
c. Self Regulation
The United States has traditionally sought to enforce online privacy rights by industry “self-regulation.”190 Industry self-regulation is seen by many to be the most effective and least intrusive way to enforce privacy rights on the Internet.191
TRUSTe is a good example of an organization that has played an active role in the online community’s self-regulation. One of the goals of TRUSTe is giving online consumers “control over their personal information.”192 One of the ways TRUSTe attempts to accomplish this goal is by allowing its “privacy seal”193 to be placed on Web sites that comport with TRUSTe’s guidelines.194
Other examples of such watchdog organizations include Junkbusters.com, BBB Online (Better Business Bureau), and The Electronic Privacy Information Center.195 There are alliances consisting of major online companies such as the Online Privacy Alliance (“OPA”) whose members include America Online, Microsoft, Intel, and others.196 The OPA seeks to “support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals’ privacy online and in electronic commerce.”197 Organizations such as the OPA have had varying levels of impact on consumer privacy online. Some have been successful, but as the FTC noted in its report to Congress on privacy online in 2000, self-regulatory initiatives have been successful to a certain extent, but have not fully resolved the issues of privacy online.198 It is difficult, however, to imagine any self-regulatory system or statutory scheme that would ever completely resolve all the issues associated with privacy online. Progress has been made through industry self-regulation, and furthermore, in the world’s leading market economy whenever there is demand it is probably safe to assume that companies will respond to that demand with products and services.199
iii. E.U. and U.S. Law Interaction: Safe Harbor
Given the state of U.S. online industry self-regulation it was clear at the time of the passage of the E.U. Directive that some U.S. companies might not be in compliance.200 The possibility of a significant loss in trans-Atlantic trade was enough to concern U.S. authorities, and intergovernmental negotiations commenced in 1998.201 These negotiations aimed to establish an agreement, or “Safe Harbor” to allow U.S. companies continued access to European consumers.202 The E.U. and U.S. did establish such an agreement which resulted in the Safe Harbor and its seven principles.
The seven Safe Harbor principles are:
1) Notice: among other requirements, the notice principle requires that the organization inform individuals about all purposes for which it collects and uses information, and the types of third parties to which it discloses the information. This notice must be clear and conspicuous, and given when individuals are first asked to provide personal information.203
2) Choice: this “opt out” principle mandates that the organization give the individual a choice whether their personal information is to be disclosed to a third party or to be used for a purpose that is incompatible with the purposes for which it was originally collected.204 For especially sensitive information, the individual must opt in before the information can be disclosed to a third party.205
3) Onward Transfer: the organization who wishes to transfer collected information (after the Notice and Choice principles have been satisfied) to a third party, must ascertain that the third party subscribes to the Safe Harbor principles or is subject to the Directive.206
4) Security: organizations collecting personal information must take reasonable precautions to protect it from loss, misuse, and unauthorized access, disclosure, alteration and destruction.207
5) Data Integrity: information must be relevant for the purposes for which it was collected, and the organization should take reasonable steps to ensure that the collected information is reliable, accurate, complete, and current.208
6) Access: individuals must have access to their personal information.209
7) Enforcement: there must be mechanisms for assuring compliance with the Safe Harbor principles – including remedies for individuals in the case of non-compliance.210
While perhaps more restrictive to dot-coms than an entirely self-regulated environment, the Safe Harbor principles are generally less restrictive than the Directive itself.211 On the other hand, companies that take part in Safe Harbor are essentially entering into an agreement with the Commerce Department and the E.U.212 As evidenced by the Safe Harbor’s principles 2 and 3, a bankrupt dot-com that falls under the purview of Safe Harbor may be in violation when it attempts to sell its consumer data. However, this may be in direct conflict with what is allowed under bankruptcy law.213 The outcome of a case involving a bankrupt dot-com which subscribed to Safe Harbor and attempted to sell its consumer data in potential violation of Safe Harbor would partly depend on the enforcement mechanism of Safe Harbor. In theory, the Safe Harbor enforcement mechanism is to be carried out by a system that the company set up in compliance with the Safe Harbor principles.214 If this mechanism fails, the last resort in enforcement is the FTC or other federal authorities which would have jurisdiction depending on the case.215 Federal authorities, in such a case, might recognize that this type of sale would benefit the estate by maximizing its value, and that consumer privacy interests are protected if the sale is made to a successor-in-interest. The FTC showed its willingness to allow just such a sale in In re Toysmart.com as mentioned supra.216
Even the FTC, which has been the most active governmental enforcement mechanism of consumer privacy online, agreed with a scheme in which a bankrupt dot-com would be able to sell consumer data to a successor-in-interest. Although flexibility may be a benefit in granting bankruptcy judges the discretion to allow or disallow such a scheme (as does the current United States legal framework, made apparent by the outcome in the Toysmart.com case), much clarity could be gained by establishing a treaty.219 Such a clear treaty would help guide both consumer and company expectations, while, as the FTC recognized in the Toysmart.com case, maintaining consumers’ privacy interests.
Such a treaty would also avoid the wasteful destruction of valuable information. One benefit of avoiding the destruction of valuable information is that it lowers the cost of credit. If creditors know that consumer information can be sold and therefore has value in a bankruptcy proceeding, the cost of extending credit will diminish accordingly.
Consumer information is most valuable when a substantial amount of it is aggregated, and it derives most of its value from the ability of companies to use it in targeted marketing and customizing consumer’s experiences at the companies’ Web sites.220 The ability to customize consumers’ experiences on a company Web sites is not only valuable to the company, but is of value to many consumers as well. Such customizations can make a consumer’s experience on a company Web site much more enjoyable and efficient. In addition, consumers and companies both benefit from targeted marketing of products and services made possible through the collection of consumer data. The companies save advertising dollars by being able to target consumers that are more likely to purchase their products or services, while consumers will enjoy advertising tailored to their interests, and will benefit from lower prices resulting from less money spent on wasteful advertising.
Such a treaty might also re-kindle venture capitalists’ interest in dot-coms.221 Venture capitalists would be assured that dot-coms that fail at least might have valuable consumer databases to sell in bankruptcy. This would decrease the risk associated with investing in dot-com startups, and would increase the funding available to them.
The courts have allowed the sale of consumer lists in the traditional brick-and-mortar company context. The proposed treaty would simply apply the same analysis and allow the sale of consumer lists collected online. Although these lists are obtained in differing ways and utilizing different technologies, the effect of obtaining them is essentially the same.
See Kevin Maney, A Century of Innovation, USA Today (1999), at http://www.beachbrowser.com/Archives/Opinion/Essays-of-Innovation.htm; see also Lemelson-MIT Survey Finds High School Students, Their Parents Agree - and Disagree - on the Most Important 20th Century Inventions, at http://web.mit.edu/invent/n-pressreleases/n-press-99index.html.
Although it is perhaps impossible to determine how many people use the Internet, and therefore equally impossible to determine for how many people the Internet is an important part of their lives, there are many surveys that attempt to estimate how many people use the Internet. How Many Online?, ComputerScope Ltd. (2001), at http://www.nua.ie/surveys/how_many_online/ (estimating the number of people online worldwide to be 605 million); Population Explosion, Jupitermedia Corporation (2003), at http://cyberatlas.internet.com/big_picture/geographics/article/0,1323,5911_151151,00.html.
The Defense Advanced Research Projects Agency (DARPA) was originally named the Advanced Research Projects Agency (ARPA). Barry M. Leiner, Et Al. A Brief History of the Internet, Internet Society, (August 4, 2000), at http://www.isoc.org/internet/history/brief.shtml.
Barry M. Leiner Et Al., A Brief History of the Internet, Internet Society, (August 4, 2000), at http://www.isoc.org/Internet/history/brief.shtml.
A browser (short for Web browser) is a software application used to locate and display Web pages. An example of a browser is Microsoft’s Internet Explorer which is a graphical browser that allows users to display graphics, video, audio, and text found on the Internet. Webopedia.com, (2003), at http://www.webopedia.com/TERM/b/browser.html.
The World Wide Web was invented by Tim Berners-Lee and is a system of servers that supports HTML (Hyper Text Markup Language) documents. These HTML documents (or Web pages) make enable links, graphics, video, and audio over the Internet. Essentially, the World Wide Web system is the online environment of Web pages that one sees today when navigating the internet. For an outline of the history of the Internet and the World Wide Web, see Robert Cailliau, A Little History of the World Wide Web, World Wide Web Consortium (1995), at http://www.w3.org/History.html.
7 Leiner Et Al., supra note 4.
Spyware is also called “adware.” Spyware is software that surreptitiously gathers user information from the user’s computer and Internet connection without his or her knowledge. The information is normally collected for advertising purposes. Spyware is typically downloaded from the Internet embedded in Freeware or Shareware programs. The spyware can be difficult to detect as it often only comprises a component of the desired software. When the spyware has been installed, it monitors user activity on the Internet and secretly transmits that information to another computer. Spyware can gather virtually any information housed in the user’s computer, and information relating to the user’s movement across the Internet. Because the spyware exists as an independent executable program, it has the ability to monitor keystrokes, scan files on the hard drive, snoop other applications such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information to another computer where it is often used for advertising/marketing purposes or to sell the information to another party. The kind of information the spyware program can obtain is unnerving. E.g. spyware can gather information about the Websites the user has visited, e-mail addresses, and even passwords and credit card numbers. Typically users will unwittingly install spyware when they install some other program that they have downloaded from the Internet. Many Internet users have fallen victim to spyware when they have downloaded peer-to-peer file swapping programs that are available today (often for free). Spyware obviously raises issues of privacy. Beyond debatably violating a user’s privacy, spyware also uses the computer's memory, resources, and bandwidth as it sends information back to another computer through the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Licensing agreements that come with software downloads sometimes notify the user that a spyware program will be installed along with the requested software, but users may not always read these licensing agreements thoroughly enough to discover the spyware notification. For a definition of spyware, see Webopeia.com (2003), at http://www.webopedia.com/TERM/s/spyware.html.
Online profiling is normally conducted through the use of banner ads displayed on Web pages which are not necessarily selected or delivered by the Web site visited by a consumer, but by network advertising companies that manage and provide advertising for multiple unrelated Web sites. In addition to supplying the banner ads, these network advertising companies normally gather information about the consumers who click on their ads. The data gathered by network advertisers is often anonymous (i.e. the profiles are linked to the identification number of the advertising network's cookie on the consumer's computer rather than information that could be traced back to a particular individual), but in some instances the information gathered from consumers' clicks on Web site banner ads are combined with personally identifiable information. This is information that could be collected via other means and is often combined with information collected through other methods (e.g. surveys). This information is normally collected to allow the network advertisers to better target their advertisements (from the collected data advertising networks can make a variety of inferences about each consumer's interests and preferences). The result of this data collection and linkage is a profile of the consumer’s spending habits, tastes, preferences, etc. These profiles enable the advertising companies' computers to decide which advertisements should be delivered to a particular consumer. See Daniel L. Jaffe’s explanation of online profiling in a memo Donald S. Clark titled: Online Profiling Project – Comment, P994809/Docket No. 990811219-9219-01, at http://www.ftc.gov/bcp/profiling/comments/jaffe.htm.
Web bugs are also called “Web beacons” or “clear GIFs,” and are often used in combination with cookies (see below). A Web bug is normally a transparent graphic image (e.g. a JPEG or GIF file) one pixel by one pixel in size and embedded on a Web site or in an e-mail that is used to monitor the user’s activity while visiting the Web site or viewing/sending the e-mail. The information that is normally gathered by the Web bug when a user visits a Web page (and thereby downloads the image) is the IP address of the user’s computer, the time the Web bug was viewed and for how long, the type of browser that downloaded the image, and information contained on cookies. Web bugs are typically used by a third-party to monitor the activity of a Web site. Sometimes a Web bug can be detected by viewing the source code of a Web page and looking for any IMG tags in the code that load from a different server than the rest of the site. The user can block Web bugs from monitoring his or her Internet activity by disabling cookies in the browser used to navigate the Internet. If the user disables cookies in the browser the Web bug will still account for an anonymous visit, but will not collect any personally identifiable information. See Christopher Saunders, Congressional Group to Study Web Bugs, (February 9, 2001), at http://www.internetnews.com/IAR/article.php/12_584741.
Cookies (named after the Unix programming concept of ‘magic cookies’) are small text files located on a computer’s hard drive that contain messages which are read by Web servers. These small text files are downloaded by a user through his or her browser from a Web server. After downloading the text file, the browser stores the downloaded message on the computer’s hard drive. This text message can then be transmitted back to the server every time the browser requests a Web page from the server. Cookies enable a server to identify users and prepare customized Web pages for them. When a user enters a Web site using cookies, he or she may be asked to fill out an online form providing such information as his or her name and interests. This information is converted into a cookie and sent to the user’s Web browser which stores it for subsequent use. The next time the user goes to the same Web site, the user’s browser will transmit the cookie to the Web server. The server can use this information to present the user with custom Web pages (e.g. instead of seeing just a generic welcome page the user might see a welcome page with his or her name on it). Because of the many benefits of the customization enabled by cookies, cookies have become very popular and are commonly used today on ecommerce Web sites. Viktor Mayer-Schonberger, The Cookie Concept, at http://www.cookiecentral.com/content.phtml?area=2&id=1; Marc Slayton, An Introduction to Cookies, (November 7, 1996), at http://hotwired.lycos.com/webmonkey/webmonkey/geektalk/96/45/index3a.html.
12 The term “brick-and-mortar” company is used to distinguish companies with more traditional business models from “dot-coms” which typically start and exist almost exclusively on the Internet and whose primary contact with consumers is through a Web site (or through other online methods such as email).
13 See Robert L. Eisenbach III, The Internet Company's Customer List: Asset or Liability?, 18 Computer & Internet Law 25, 25 (2001) (stating that brick and mortar businesses regularly purchase and sell customer lists).
For example TRUSTe, an independent privacy seal program, has opposed the sale of consumer data to third parties. For further information about TRUSTe’s opposition to the sale of consumer data to third parties, go to their Web site at http://www.truste.org.
15 The differences in the U.S. and European approaches to this issue will be explored at length, infra, Part II.
site’s information collection and use practices. Privacy policies have
risen in popularity recently as online privacy has become a hot topic.
One bankruptcy and ecommerce attorney notes that the typical privacy
policy does 5 things:
19 In re Toysmart, LLC, No. 00-13995-CJK (Bankr. D. Mass. filed June 9, 2000).
20 For example the Consumer Internet Privacy Enhancement Act. H.R. Res. 313, 106th Congress (1999) (requiring certain online companies to obtain affirmative consent before transferring personally identifiable information to third parties).
“Ecommerce” is short for electronic commerce and is defined as conducting business online (or over the internet). See Webopeia.com’s definition of ecommerce at http://www.webopedia.com/TERM/electronic_commerce.html.
22 The European Union (“E.U.”) is an international organization that represents the combined interests of its member states: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, and the United Kingdom.
23 Council Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 (O.J. 95/L281) [hereinafter “Directive”].
24 Memorandum on the Accession of the European Communities to the Convention for the Protection of Human Rights and Fundamental Freedoms, adopted by the Commission on April 4, 1979, Bulletin of the E.U., supp. 2/79.
25 Issuance of Safe Harbor Privacy Principles and Transmission to European Commission, 65 Fed. Reg. 45, 666 (Department of Commerce 2000).
26 Companies who wish to do business in Europe through the Internet must comply with Safe Harbor. Id.
27 Suggestions to not enact proposed legislation are also made. The treaty suggested is one between the United States and countries with which it does substantial international business.
28 MICHAEL J. HERBERT, UNDERSTANDING BANKRUPTCY 1 (1995).
30 Id. at 3 - 5.
31 Id. at 5.
32 Id. Note also that other consequences of bankruptcy, such as bankruptcy remaining on a debtor’s credit report for 10 years, make it difficult for a debtor to get a fresh start. Id. at 6.
33 Id. at 1; BRUCE G. CARRUTHERS & TERENCE C. HALLIDAY, RESCUING BUSINESS 35, 36 (1998).
34 CARRUTHERS & HALLIDAY, supra note 33 at 36, 37.
36 In bankruptcy law, the “estate” refers to the legal entity (not the debtor) that is created by the bankruptcy proceeding. The “trustee” (and the similar “Debtor-in-Possession”) is the administrator of the property of the estate. See HERBERT, supra note 28 at 19.
37 See 11 U.S.C. § 365.
38 In re Hardie, 100 B.R. 284 (Bankr. E.D.N.C. 1989); In re Norquist, 43 B.R. 224, 225 (Bankr. E.D. Wash. 1984).
39 CARRUTHERS & HALLIDAY, supra note 33 at 37.
41 See 11 U.S.C. § 365.
42 For example, as noted supra in Part II A i, competing interests include debtors versus creditors’ interests, and creditors versus other creditors’ interests.
John Rendleman, Customer Data Means Money, Information Week (August 20, 2001), at http://www.informationweek.com/story/IWK20010816S0008 (noting that some companies spend up to 25 million dollars annually on consumer data).
44 Agin, supra note 16, at 14.
48 Privacy policies are discussed under both the Contract Law and Property Law sections of this comment below.
49 See Toibb v. Radloff, 501 U.S. 157, 163-164 (1991).
51 In other words, an offer to do business.
52 E. ALLAN FARNSWORTH, FARNSWORTH ON CONTRACTS I, 61-64 (1990).
55 Id. at 64.
57 RESTATEMENT (SECOND) OF CONTRACTS, § 75.
58 FARNSWORTH, supra note 52, at 85.
60 54 U.S.P.Q. 2d, 1344 (2000).
61 The license agreement included a provision stating that anyone going beyond the home page agrees to the terms and conditions set forth in the license agreement. Id.
62 Ticketmaster Corp., 54 U.S.P.Q. 2d, 1344 (2000). Note that many Web sites will force visitors to click on an “agree” button before purchasing a good or service, or before accessing the Web site generally.
64 Id. Thus a Web site visitor could access the Web site without ever knowing of the existence of the license agreement.
66 306 F.3d 17 (October 1, 2002).
67 Id, at 20.
68 See 11 U.S.C. § 365.
69 See Andrew B. Buxbaum & Louis A. Curcio, When You Can't Sell to Your Customers, Try Selling Your Customers (But Not Under the Bankruptcy Code), 8 Am. Bankr. Inst. L. Rev. 395, 402-403 (2000).
70 Vern Countryman, Executory Contracts in Bankruptcy: Part I, 57 Minn. L. Rev. 439, 460 (1973).
72 This analysis is not meant to address the less typical situation where the consumer has fully performed and the dot-com has gone bankrupt and cannot perform at all (i.e. it cannot perform its substantive end of the bargain). In such a case the consumer is one of the dot-com’s creditors and has a claim to the insolvent debtor’s assets (including value obtained from consumer data). See 11 U.S.C. §§ 101, 501 & 502.
73 See Buxbaum & Curcio, supra note 69, at 403.
74 See 11 U.S.C. § 365.
77 In effect, the successor in interest takes the place of the debtor and the consumer remains in the same position as before the sale.
78 Section 541 of the Bankruptcy Code defines the bankruptcy estate as including “all legal or equitable interests of the debtor in property as of the commencement of the case.” 11 U.S.C. § 541 (a)(1).
79 The information about consumers could of course be anything that the dot-com has asked for and received from the consumer; e.g. address, age, occupation, etc.
80 A Web form is simply any form used on the Internet. It is employed for the same purposes as hard copy forms, and generally consists of questions asking about various things regarding the Web site visitor.
81 Miller & O'Rourke, supra note 18, at 784.
For example, note the questionnaires that must be filled out before purchasing goods from online retailers such as Amazon.com, or participating in auctions on services related Web sites such as Ebay. See http://www.amazon.com and http://www.ebay.com respectively for examples.
84 I make this assertion based on experience and conversations with others who regularly purchase goods or services online.
Stephanie Dunnewind, The card game: As more grocery chains deal out discount cards, shoppers take sides: savings versus privacy, The Seattle Times Northwest Life, (May 22, 2002), at http://seattletimes.nwsource.com/html/northwestlife/134454177_shopcard15.html.
86 Miller & O'Rourke, supra note 18, at 782.
88 Id. at 784.
89 See 63 AM. JUR. 2D Property 1, at 66-67 (1997).
90 See BLACK’S LAW DICTIONARY, (6th ed.).
91 JOHN G. SPRANKLING, UNDERSTANDING PROPERTY LAW 1.03 [B], at 4-5 (2000).
92 D.F. Libling, The Concept of Property: Property in Intangibles, 94 L.Q. Rev. 103, 104 (1978).
93 See Dwyer v. Am. Export Co., 652 N.E. 2d 1351 (Ill. App. Ct 1995) (stating that a customer’s name has no value in and of itself, but becomes more valuable to companies as more and more names are added to the list and categorized in some meaningful way).
94 See, e.g., Avery Dennison Corp. V. Kitsonas 118 F. Supp. 2d 848, 854 (S.D. Ohio 2000); Heritage Benefit Consultants Inc. v. Cole, No. CV001622705, 2001 WL 237240, at 7 (Conn. Super. Ct. Feb. 23, 2001); Strata Mktg., Inc. v. Murphy, 740 N.E. 2d 1166, 1177 (Ill. App. Ct. 2000).
95 Uniform Trade Secrets Act 14 U.L.A. 437, et seq. (1985).
96 Uniform Trade Secrets Act 1 (amended 1985).
97 11 U.S.C. § 541.
98 Ackerman v. Kovac (In re All Am. Petroleum Corp.), 259 B.R. 6 (January 31, 2001) (treating customer lists as property); Phillips v. Diecast Marketing Innovations, L.L.C, 2000 Bankr. LEXIS 615 (February 28, 2000) (stating in relevant part “The debtor’s bankruptcy estate also includes customer lists…”).
99 See generally Domingo R. Tan, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union, 21 Loy. L.A. Int'l & Comp. L.J. 661, (1999). This is not to say the United States does not view privacy as an important right. See Griswold v. Connecticut, 381 U.S. 479 (1965) (finding a right to privacy).
See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at http://www.export.gov/safeharbor/sh_workbook.html.
1950, E.T.S. No. 5 (hereafter “ECHR”). The ECHR text is available at http://www.echr.coe.int/Convention/webConvenENG.pdf.
102 IAIN CAMERON & MAJA KIRILOVA ERIKSSON, AN INTRODUCTION TO THE EUROPEAN CONVENTION ON HUMAN RIGHTS, 23 (1993).
103 Dec 10 1948, G.A. Resolution 217 (A)III 1948. UN Doc A 1810.
104 CAMERON & ERIKSSON, supra note 102, at 23. Article 12 of the UDHR provides, “No one shall be subjected to arbitrary interference with his privacy, family, home and correspondence, nor to attacks on his honor and reputation. Everyone has the right to the protection of law against such interference or attacks.”
105 EHCR art. 8.
106 The Commission is established by the ECHR to ensure the observance of the ECHR. See ECHR art. 19.
107 Id at art. 24.
108 Id. at art. 25.
111 Directive 95/46/EC.
112 Tan, supra note 99, at 676.
113 Directive 95/46/EC.
See Data Protection, at http://europa.eu.int; http://www.haledorr.com/pdf/data_protection_law.pdf.
Directives are passed by the European Council to harmonize differing laws of member nations on a particular issue. If the law of a member nation conflicts with a directive, the provisions of the directive prevail. The EU developed the Directive "to avoid the complex [sic] and burden of having 15 different national privacy laws." The EU Data Protection Directive: Implications for the U.S. Privacy Debate: Hearing Before the Subcomm. on Commerce, Trade and Consumer Protection, House Comm. on Energy and Commerce, 107th Cong. 43 (2001) (testimony of David Aaron). Available at: http://energycommerce.house.gov/107/hearings/03082001Hearing49/.
See Sarah H. Wright, Technology makes privacy harder to safeguard, panel notes, (November 1, 2000), at http://web.mit.edu/newsoffice/tt/2000/nov01/stratton.html.
117 Directive 95/46/EC, art. 6(1)(b).
118 Id. at art. 2(b).
119 Id. at art. 7(a)-(b).
120 Id. at art. 7(c) – (f).
121 Id. at art. 12.
123 Id. at art. 6.
128 Id. at arts. 25-26.
131 Id. at art. 26.
See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at http://www.export.gov/safeharbor/sh_workbook.html.
135 Note that even a recent democratic (democrats being traditionally known for being more likely to be hands-on politicians) President, Bill Clinton, would be considered a moderate interventionist at the most when concerning the Internet. See President William J. Clinton, White House Press Release (July 1, 1997) (arguing for a hands off governmental policy for cyberspace).
See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at http://www.export.gov/safeharbor/sh_workbook.html.
137 Griswold v. Connecticut, 381 U.S. 479 (1965). Specifically the First Amendment's provisions for freedom of expression and association, the Third Amendment's protection against quartering solders in one's home, the Fourth Amendment's protection against unreasonable searches and seizures, the Fifth Amendment's due process clause and freedom from self-incrimination, the Ninth and Tenth Amendments' freedom for people to retain power over state, and the Fourteenth Amendment's due process clause and equal protection clause have all been interpreted to create what has been described as a right to privacy – created out of the ‘penumbra’ of rights found in the constitution. GEOFFREY R. STONE ET AL., CONSTITUTIONAL LAW, 810 - 920 (4th ed. 2001).
138 Jonathan P. Cody, Protecting Privacy Over the Internet: Has the Time Come to Abandon Self-Regulation?, 48 Cath. U. L. Rev. 1183, 1197 (1999). This is not to say that European legislation does not balance the right to privacy with other societal interests, but that with respect to such European legislation the right to privacy tends to ‘weigh more’ when balanced against other interests. See Tan, supra note 99.
139 David A. Castor, Treading Water in the Data Privacy Age: An Analysis of Safe Harbor’s First Year, 12 Ind. Int'l & Comp. L. Rev. 265, 271 (2002).
140 Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (1999).
145 5 U.S.C. § 552 (2000).
149 For example, the Internal Revenue Service cannot disclose information on income tax returns.
150 20 U.S.C. § 1232 (1994).
152 A consumer’s video rental history could be collected online (via a Web site that enables the consumer to rent videos online) and the VPPA would apply to such information just as it would to the more traditional means of collecting a consumer’s video rental history by simply keeping track of it in a brick-and-mortar rental store. However, this remains a very narrow class of information. Id.
153 15 U.S.C. § 6501 et seq. (1998).
See Online Consumers Now the Average Consumer, CyberAtlas, at http://cyberatlas.internet.com/big_picture/demographics/article/o,,5901_800201,00.html.
158 Beth Safier, Between Big Brother and the Bottom Line: Privacy in Cyberspace, 5 Va. J.L. & Tech. 6, 27 at para 75 (2000).
159 Federal Trade Commission Act, 15 U.S.C. § 41.
161 15 U.S.C. § 45.
162 103 F.T.C. 110, 214.
Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency's First Internet Privacy Case: Commission Establishes Strong Mechanisms for Protecting Consumers' Privacy Online (Aug. 13, 1998), at http://www.ftc.gov/opa/1998/9808/geocitie.htm.
For a more complete description of GeoCities’ services, go to its Web site at http://www.geocities.com.
See Complaint, In re GeoCities, at http://www.ftc.gov/os/1998/9808/geo-cmpl.htm.
Agreement Containing Consent Order, In re GeoCities, at http://www.ftc.gov/os/1998/9808/geo-ord.htm.
167 Alan E. Littmann, The Technology Split in Customer List Interpretation, 69 U. Chi. L. Rev. 1901 (2002).
168 In re Toysmart.com, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).
See First Amended Complaint for Permanent Injunction and Other Equitable Relief, at http://www.ftc.gov/os/2000/07/toysmartcomplaint.htm.
See FTC Sues Failed Website, Toysmart.com, for Deceptively Offering for Sale Personal Information of Website Visitors, (July 10, 2000), at http://www.ftc.gov/opa/2000/07/toysmart.htm.
Trusted Universal Standards in Electronic Transactions ("TRUSTe") is a watchdog organization which seeks to build users' trust and confidence in the Internet. TRUSTe, at http://www.truste.org/ (stating in part “When you see the TRUSTe seal, you can be assured that you have full control over the uses of your personal information to protect your privacy”).
175 John M. Wingate, The New Economania: Consumer Privacy, Bankruptcy, and Venture Capital At Odds in the Internet Marketplace, 9 Geo. Mason L. Rev. 895, 911 (2001).
See FTC Sues Failed Website, Toysmart.com, for Deceptively Offering for Sale Personal Information of Website Visitors, (July 10, 2000), at http://www.ftc.gov/opa/2000/07/toysmart.htm.
See Statement of Commissioner Mozelle W. Thompson, Toysmart.com, Inc, at http://www.ftc.gov/os/2000/07/toysmartthompsonstatement.htm.
184 In re Toysmart.com, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).
185 See Stephanie Stoughton, Toysmart.com List to Be Destroyed, Boston Globe, Jan. 30, 2001, at D7, available at 2001 WL 3916848.
186 See PROSSER & KEETON, HANDBOOK ON THE LAW OF TORTS, CH. 20 (5TH ED. 1984) (discussing the four common law torts of invasion of privacy).
187 Christopher F. Carlton, The Right To Privacy In Internet Commerce: A Call For New Federal Guidelines And The Creation Of An Independent Privacy Commission, 16 St. John’s J.L. Comm. 393, 422 (2002).
See Self-Regulation and Privacy Online, (July 13,1999), at http://www.ftc.gov/os/1999/9907/pt071399.htm
See TRUSTe Seal Programs, at http://www.truste.org/programs/pub_how.html.
TRUSTe’s “privacy seal” or “trustmark” is a graphic that “signifies to online users that the Web site will openly share, at a minimum, what personal information is being gathered, how it will be used, with whom it will be shared, and whether the user has an option to control its dissemination.” See Frequently Asked Questions, at http://www.truste.org/about/truste/about_faqs.html.
See TRUSTe Seal Programs, at http://www.truste.org/programs/pub_how.html.
See Privacy Organizations Reviewed, at http://www.perfectlyprivate.com/newsresources_org.shtml
See Mission Statement, at http://www.privacyalliance.org/mission/
Federal Trade Commission, Privacy Online: Fair Information Practices In The Electronic Marketplace, A Report To Congress (2002), at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.
The demand, in this case, is for an adequate level of privacy. Note that there is an ever increasing number of companies that provide consumer privacy products online. Just a few examples include: Anonymizer.com (at http://www.anonymizer.com/), which provides anonymous Internet surfing, Tropical Software (at http://www.tropsoft.com/), which provides password protection and encryption services, and Ziplip.com (http://www.ziplip.com), which provides encrypted email.
200 Robert R. Schriver, You Cheated, You Lied: The Safe Harbor Agreement and Its Enforcement by the Federal Trade Commission, 70 Fordham L. Rev. 2777, 2787-2788 (2002).
U.S. Department of Commerce, Safe Harbor Privacy Principles (2000), at http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm.
See Rebecca Sykes & Elizabeth de Bony, E.U.-U.S. privacy deal rotten, observers say, InfoWorld (2000), at http://www.infoworld.com/articles/en/xml/00/03/14/000314enharbor.xml.
See U.S. Department of Commerce, Safe Harbor Enforcement Overview (2000), at http://www.export.gov/safeharbor/ENFORCEMENTOVERVIEWFINAL.htm.
213 See 11 U.S.C. § 365 (allowing the rejection of executory contracts).
216 In re Toysmart.com, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).
218 A treaty between the United States and nations with which United States companies do most of their international business would obviously be the most beneficial (e.g. Canada, Mexico, Japan, E.U. member nations, etc.).
220 This enabling of targeted marketing also prevents waste in that marketing dollars can be spent targeting consumers who are more likely to be interested in the company’s products or services.
221 See Wingate, supra note 175, at 926.
The above discussion is intended to be a general commentary on legal issues. Each situation is different and this article is not intended as legal advice. Further, nothing in this article is intended to create an attorney-client relationship.